[Oisf-users] ICMP is OK but no TCP and no UDP

Bernhard bernhard at fischli.org
Mon May 28 07:40:18 UTC 2018


Hello to all,

I am using suricata on CentOS 7.5 in an AF_PACKET setup and ICMP packets
are copied as expected between both interfaces. TCP and UDP aren't
working at all. A SYN is leaving but I do not see any legal SYN-ACK,
only retransmissions. The stat.log does not complain about any packet
drops and the counters are increasing by incoming packets. I'm a bit
clueless about what's wrong with this setup. Anyone willing to help?

# suricata --dump-config|grep af-packet
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth1
af-packet.0.cluster-id = 99
af-packet.0.copy-iface = eth2
af-packet.0.threads = auto
af-packet.0.defrag = yes
af-packet.0.cluster-type = cluster_flow
af-packet.0.copy-mode = ips
af-packet.0.buffer-size = 32768
af-packet.0.tpacket-v3 = no
af-packet.0.ring-size = 2048
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.checksum-checks = no
af-packet.1 = interface
af-packet.1.interface = eth2
af-packet.1.cluster-id = 98
af-packet.1.copy-iface = eth1
af-packet.1.threads = auto
af-packet.1.defrag = yes
af-packet.1.cluster-type = cluster_flow
af-packet.1.copy-mode = ips
af-packet.1.buffer-size = 32768
af-packet.1.tpacket-v3 = no
af-packet.1.ring-size = 2048
af-packet.1.use-mmap = yes
af-packet.1.mmap-locked = yes
af-packet.1.checksum-checks = no
af-packet.2 = interface
af-packet.2.interface = default

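The dump above is the kind of output where a mispaired copy-iface or a duplicated cluster-id hides easily, so as an added example (not part of the original post) here is a small checker that parses the af-packet section of `suricata --dump-config` and verifies the properties an AF_PACKET IPS pair is expected to have: both interfaces in copy-mode ips, copy-iface pointing at each other, distinct cluster-ids, use-mmap enabled and the same thread setting on both sides. The embedded dump text is copied from the post; the rule set is my own reading of the Suricata AF_PACKET IPS documentation, and the equal-threads rule in particular is an assumption, not something the post states.

```python
"""Consistency check for the af-packet IPS pair in `suricata --dump-config` output."""
import re

# Dump text copied from the post above (eth1 <-> eth2 copy pair).
DUMP = """\
af-packet = (null)
af-packet.0 = interface
af-packet.0.interface = eth1
af-packet.0.cluster-id = 99
af-packet.0.copy-iface = eth2
af-packet.0.threads = auto
af-packet.0.defrag = yes
af-packet.0.cluster-type = cluster_flow
af-packet.0.copy-mode = ips
af-packet.0.buffer-size = 32768
af-packet.0.tpacket-v3 = no
af-packet.0.ring-size = 2048
af-packet.0.use-mmap = yes
af-packet.0.mmap-locked = yes
af-packet.0.checksum-checks = no
af-packet.1 = interface
af-packet.1.interface = eth2
af-packet.1.cluster-id = 98
af-packet.1.copy-iface = eth1
af-packet.1.threads = auto
af-packet.1.defrag = yes
af-packet.1.cluster-type = cluster_flow
af-packet.1.copy-mode = ips
af-packet.1.buffer-size = 32768
af-packet.1.tpacket-v3 = no
af-packet.1.ring-size = 2048
af-packet.1.use-mmap = yes
af-packet.1.mmap-locked = yes
af-packet.1.checksum-checks = no
af-packet.2 = interface
af-packet.2.interface = default
"""

# Matches "af-packet.<index>.<key> = <value>"; the bare "af-packet.0 = interface"
# marker lines and the "af-packet = (null)" root line are intentionally skipped.
LINE_RE = re.compile(r"^af-packet\.(\d+)\.([\w-]+)\s*=\s*(.*)$")


def parse_af_packet(dump):
    """Return {interface_name: {key: value}} for every real (non-default) entry."""
    entries = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        idx, key, value = m.groups()
        entries.setdefault(idx, {})[key] = value.strip()
    # Key by interface name; the "default" entry is only a template, not a capture interface.
    return {e["interface"]: e for e in entries.values()
            if e.get("interface") and e["interface"] != "default"}


def check_ips_pairs(ifaces):
    """Return a list of human-readable problems; an empty list means the pairing is consistent."""
    problems = []
    for name, cfg in ifaces.items():
        if cfg.get("copy-mode") != "ips":
            problems.append(f"{name}: copy-mode is {cfg.get('copy-mode')!r}, expected 'ips'")
        if cfg.get("use-mmap") != "yes":
            problems.append(f"{name}: use-mmap must be 'yes' for IPS copy mode")
        peer = cfg.get("copy-iface")
        if not peer:
            problems.append(f"{name}: copy-iface is not set")
            continue
        if peer not in ifaces:
            problems.append(f"{name}: copy-iface {peer!r} has no af-packet entry of its own")
            continue
        if ifaces[peer].get("copy-iface") != name:
            problems.append(f"{name} copies to {peer}, but {peer} copies to "
                            f"{ifaces[peer].get('copy-iface')!r}")
        if cfg.get("cluster-id") == ifaces[peer].get("cluster-id"):
            problems.append(f"{name}/{peer}: cluster-id must differ between the two interfaces")
        # Assumption: both sides of a copy pair should run the same thread setting.
        if cfg.get("threads") != ifaces[peer].get("threads"):
            problems.append(f"{name}/{peer}: threads differ "
                            f"({cfg.get('threads')!r} vs {ifaces[peer].get('threads')!r})")
    return problems


if __name__ == "__main__":
    found = check_ips_pairs(parse_af_packet(DUMP))
    print("\n".join(found) if found else "af-packet IPS pairing looks consistent")
```

Run against the dump from the post the checker reports nothing, which is useful information on its own: the eth1/eth2 pairing is symmetric and the cluster-ids are distinct, so the problem is unlikely to be in this part of the configuration and the next things to look at are outside it (the interfaces themselves, for example NIC offload settings, which the Suricata AF_PACKET documentation recommends disabling for inline use).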
